With the development of networks, user terminals have become more intelligent and more capable. A terminal may access a mobile network, for example, a third generation mobile communication technology (3G) network, a Wireless Local Area Network (WLAN), or a Worldwide Interoperability for Microwave Access (WiMAX) network, moving within its home network or roaming to the network of another operator; it may also access a fixed network, for example, over a Digital Subscriber Line (DSL) or an optical fiber. However, whether the access is mobile or fixed, and whether the terminal is roaming or not, when a terminal intends to access a network and use the services provided by an operator, the network side performs an Authentication, Authorization and Accounting (AAA) process on the terminal: it first performs network access authentication to verify the validity of the user's identity; after authentication is completed, it grants the user the corresponding authority according to the type of service applied for; and finally, it generates accounting information according to the resources the user occupies or uses.
An AAA system architecture in which a user moves to a visited network and is connected to the home network through the visited network may be referred to as an AAA framework. The AAA framework includes an AAA client, an AAA proxy and a home AAA server. The AAA client is a network access server (NAS) located in the user's access network, for example, a broadband remote access server (BRAS) device in a fixed network, or an access point (AP) device in a mobile network. The AAA proxy is an entity that processes the AAA protocol and forwards AAA messages between the AAA client and the AAA server; the local AAA server of the visited network, or of another intermediate network, generally serves as the AAA proxy. The home AAA server and the local AAA server serving as the AAA proxy may be independent devices, or may be co-located with another entity.
In the AAA framework, the AAA entities interact with each other by using an AAA protocol. The AAA protocol may be the Remote Authentication Dial In User Service (RADIUS) protocol or the Diameter protocol. Depending on the protocol used, the AAA server may also be referred to as a RADIUS server, a Diameter server, and so on, and the names of the AAA client and the AAA proxy change accordingly.
Similar to the AAA framework, an architecture in which a user and a network perform mutual authentication may be referred to as an Extensible Authentication Protocol (EAP) framework. The EAP framework includes a user, an authenticator and a home EAP server.
The user is a user terminal device that needs to access a network and its services, and runs EAP-related protocol software (for example, EAPoL, that is, EAP over LAN).
The authenticator is a device that controls physical access according to the authentication state of the user, and serves as a proxy between the user and the authentication server. The authenticator communicates with the user over a lower layer protocol (for example, EAPoL). Between the authenticator and the home EAP server, EAP is carried over the AAA protocol (Diameter or RADIUS) or another upper layer protocol, and may traverse several intermediate networks before reaching the home EAP server. Finally, whether the user's port is opened is controlled according to the authentication result. The authenticator may be co-located with or separate from the AAA client, and is generally located on a border gateway device, for example, the BRAS device or the AP device described above.
The home EAP server, also referred to as the back-end server, authenticates the user and, after successful authentication, grants the authority to access the subscribed service. The home EAP server is generally the home AAA server.
To reduce authentication latency, an EAP Re-authentication Protocol (ERP) is proposed on the basis of the EAP authentication framework; it is carried out between the user and an EAP Re-authentication (ER) server. The re-authentication mechanism consists of two parts: an ERP start process and a re-authentication process. In the ERP start process, after the user has completed EAP authentication, a root key specific to the local domain is derived from the root key shared between the user and the home EAP server, and this domain-specific root key is sent to the ER server, so that the user may subsequently re-authenticate with the ER server without going back to the home EAP server.
However, when the user moves to a new authenticator and performs re-authentication there, the new authenticator initiates a new session for the user, and the identifier of this new session is not updated at the user's home AAA server. As a result, the session maintained by the home AAA server is no longer the user's latest session. When the home AAA server initiates a session refresh or a session termination (for example, because the user has defaulted on payment), or when the network access server uses the session, the home AAA server does not operate on the user's latest session, which leads to an abnormal session state and interferes with refreshing or terminating the service.
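The following Python model is an added example illustrating both the ERP key hierarchy described above (the domain-specific root key derived from the shared root key and handed to the ER server, so that re-authentication no longer involves the home server) and the session-identifier problem just described (the home AAA server keeps the session id from the full authentication and therefore cannot find the session the ER server created at the new authenticator). It is not code from the original text or from any ERP implementation. The KDF construction, the key labels, the session-id format and the names "alice", "visited.example", "other.example" and "ap-2" are assumptions chosen for illustration; the real ERP key derivation is defined by the ERP specification and differs from this sketch.

```python
import hashlib
import hmac
import secrets


def kdf(key: bytes, label: str, context: bytes = b"") -> bytes:
    """One-way derivation HMAC-SHA256(key, label || 0x00 || context).

    Assumed construction for illustration; it is not the ERP KDF.
    """
    return hmac.new(key, label.encode() + b"\x00" + context, hashlib.sha256).digest()


def domain_root_key(root_key: bytes, domain: str) -> bytes:
    """Root key specific to a local domain, derived from the home root key."""
    return kdf(root_key, "domain-root-key", domain.encode())


def reauth_mac(domain_key: bytes, nonce: bytes, authenticator: str) -> bytes:
    """Proof of possession of the domain key, bound to a nonce and the authenticator."""
    rik = kdf(domain_key, "reauth-integrity-key")
    return hmac.new(rik, nonce + authenticator.encode(), hashlib.sha256).digest()


class HomeEAPServer:
    """Home EAP/AAA server: holds the root key and the session id learned at full auth."""

    def __init__(self):
        self.root_keys = {}   # user -> root key shared after full EAP authentication
        self.sessions = {}    # user -> session id the home server believes is current

    def full_eap_auth(self, user: str):
        root = secrets.token_bytes(32)        # stands in for the key a full EAP run yields
        sid = "home-" + secrets.token_hex(4)  # session id created at full authentication
        self.root_keys[user] = root
        self.sessions[user] = sid
        return root, sid

    def erp_start(self, user: str, domain: str) -> bytes:
        # ERP start: only the domain-specific key leaves the home server, never the root key.
        return domain_root_key(self.root_keys[user], domain)


class ERServer:
    """Local ER server of the visited domain."""

    def __init__(self, domain: str):
        self.domain = domain
        self.domain_keys = {}   # user -> domain-specific root key installed at ERP start
        self.sessions = {}      # session id -> (user, authenticator)

    def install(self, user: str, domain_key: bytes) -> None:
        self.domain_keys[user] = domain_key

    def reauth(self, user: str, authenticator: str, nonce: bytes, mac: bytes):
        key = self.domain_keys.get(user)
        if key is None or not hmac.compare_digest(reauth_mac(key, nonce, authenticator), mac):
            return None
        # A new authenticator starts a new session; the home server is not informed.
        sid = self.domain + "-" + secrets.token_hex(4)
        self.sessions[sid] = (user, authenticator)
        return sid

    def terminate(self, sid: str) -> bool:
        return self.sessions.pop(sid, None) is not None


class Peer:
    """User terminal: derives the same domain key locally from the shared root key."""

    def __init__(self, root_key: bytes):
        self.root_key = root_key

    def reauth_request(self, domain: str, authenticator: str):
        nonce = secrets.token_bytes(16)
        mac = reauth_mac(domain_root_key(self.root_key, domain), nonce, authenticator)
        return nonce, mac


def run_scenario() -> dict:
    home, er = HomeEAPServer(), ERServer("visited.example")
    root, home_sid = home.full_eap_auth("alice")
    peer = Peer(root)
    er.install("alice", home.erp_start("alice", "visited.example"))

    # Re-authentication at a new authenticator, handled entirely by the ER server.
    nonce, mac = peer.reauth_request("visited.example", "ap-2")
    local_sid = er.reauth("alice", "ap-2", nonce, mac)

    # A request built with another domain's key does not verify: the keys differ.
    bad_nonce, bad_mac = peer.reauth_request("other.example", "ap-2")
    wrong_domain = er.reauth("alice", "ap-2", bad_nonce, bad_mac)

    # The home server still holds the original session id and terminates that one.
    home_hit = er.terminate(home.sessions["alice"])

    return {
        "reauth_ok": local_sid is not None,
        "wrong_domain_rejected": wrong_domain is None,
        "home_sid_is_stale": home.sessions["alice"] != local_sid,
        "home_terminate_hit": home_hit,
        "live_sessions_after_home_terminate": len(er.sessions),
    }


if __name__ == "__main__":
    print(run_scenario())
```

`run_scenario()` shows the two points together: the peer and the ER server agree on the domain key without the home server taking part in re-authentication, while the home server's termination request misses because it still names the session id from the full authentication and the live session at the ER server survives.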